REMARKS

Applicants submit this Reply in response to the final Official Action in the Request for 
Continued Examination (RCE) of the above-identified patent application. In the Official Action, 
the Examiner continues to reject, or now additionally rejects, all of the pending claims of the 
present application, namely Claims 1-20 and 25-32, under 35 U.S.C. §103(a) as being 
unpatentable over U.S. Patent No. 5,798,706 to Jeffrey A. Kraemer, et al., in view of PCT Patent 
Application Publication No. WO 97/26734 to Kirby et al. As explained below, however, 
Applicants respectfully submit that the claimed invention is patentably distinct from Kraemer 
and Kirby, taken individually or in combination and, accordingly, traverse this rejection of the 
claims. Nonetheless, Applicants have amended various ones of the claims to further clarify the 
claimed invention. In view of the amendments to the claims and the remarks presented herein, 
Applicants respectfully request reconsideration of the present application and allowance of the 
claims. 1 

A. Functional Claim Language 

Initially, Applicants note that in the response to arguments section of the Official Action, 
the Official Action appears to be suggesting a "statement of use" argument for discounting 
limitations of the claims. Official Action of March 26, 2007, page 3. In contrast to the 
allegation of the Official Action, however, Applicants respectfully submit that functional 
language, such as "adapted to," is definite and acceptable claim language. Section 2173.05(g) of 
the MPEP defines a functional limitation as "an attempt to define something by what it does, 
rather than what it is (e.g., as evidenced by its specific structure or specific ingredients)." In this 
regard, a functional limitation is often used in association with an element to "define a particular 
capability or purpose that is served by the recited element, ingredient or step." Id. More 
particularly, the Court of Customs and Patent Appeals (predecessor to the Court of Appeals for
the Federal Circuit) has held that the limitations "adapted to be fitted," "adapted to be affixed"
and "adapted to be positioned," "serve to precisely define present structural attributes of
interrelated component parts of the claimed assembly." MPEP § 2173.05(g), citing In re
Venezia, 530 F.2d 956 (C.C.P.A. 1976) (emphasis added).

1 As Applicants' remarks with respect to the Examiner's rejections are sufficient to overcome these
rejections, Applicants' silence as to assertions by the Examiner in the Official Action or certain requirements that
may be applicable to such rejections (e.g., whether a reference constitutes prior art, motivation to combine
references) is not a concession by Applicants that such assertions are accurate or such requirements have been met,
and Applicants reserve the right to analyze and dispute such in the future.

Notwithstanding the foregoing, to expedite prosecution of the present application, 
Applicants have amended a number of the claims of the present application to remove the 
"adapted to" language. More particularly, Applicants have amended a number of the claims to 
include components "configured to" perform various functions. In this regard, Applicants note 
that it has been held that an apparatus configured (e.g., programmed) to perform various steps or 
functions creates a new apparatus. See In re Alappat, 33 F.3d 1526, 1545 (Fed. Cir. 1994); and
see id. at 1569-1570 (Newman, concurring) ("Alappat's rasterizer is an electronic device for
displaying a smooth waveform by selective illumination of pixels. The Alappat rasterizer
operates by performing a sequence of steps in accordance with instructions that are generated
electronically. . . . The structure resides in the configuration by which the device operates, as [the
majority] has explained, and is independent of how that configuration is provided.") (emphasis
added).

Applicants therefore respectfully submit that to the extent the claims of the present 
application include structure positively performing various functions, or include components 
configured to perform various functions, those limitations must be evaluated and considered like 
any other claim limitation, and that to anticipate such limitations, the prior art must explicitly or 
inherently disclose those limitations. Moreover, Applicants respectfully submit that even if the 
Examiner maintains the aforementioned interpretation of various ones of the claims, various 
others of the claims, including at least Claims 6-20 and 27-32, do not include such "adapted to" 
language and therefore should not be subject to the same alleged deficiency. 

B. The Claimed Invention is Patentable over Kraemer in view of Kirby

Amended independent Claim 1 of the present application sets forth an apparatus for
detecting adversarial activity on a network that includes: 

a memory configured to store a host table;

a key exchanger configured to repeatedly derive a cipher key such
that the resulting cipher key changes over time;

a translator configured to detranslate predetermined portions of 
packet header information of a data packet according to a cipher algorithm keyed 
by the cipher key, wherein the predetermined portions include a previously 
translated address, the previously translated address being detranslated into the 
address; 

a mapping device configured to map the address to the host table; 

a host resolution device configured to issue a request to the 
network to resolve the address when the address does not match an entry in the 
host table and to supplement the host table with the address upon receipt of a 
reply to the request that indicates that the address is valid; and 

an actuator configured to trigger a security device when the 
address does not match an entry in the host table. 

In contrast to amended independent Claim 1, Applicants respectfully submit that Kraemer in
view of Kirby does not teach or suggest an apparatus with the aforementioned features, including
a translator configured to detranslate predetermined portions of packet header information of a
data packet according to a cipher algorithm keyed by the cipher key, wherein the predetermined
portions include a previously translated address. As conceded in the Official Action, Kraemer
does not teach or suggest a key exchanger adapted to repeatedly derive a cipher key, or a
translator adapted to translate predetermined portions of packet header information (including an
address) of a data packet according to a cipher algorithm keyed by the cipher key. Nonetheless,
the Official Action alleges that Kirby discloses this feature, and that one skilled in the art would
have been motivated to modify Kraemer to include the feature for the purpose of providing
enhanced security. Applicants respectfully disagree, and submit that even if Kraemer and Kirby
do disclose respective features of independent Claim 1 (presumed for the sake of argument, but
expressly without admission), one skilled in the art would not have been motivated to combine
Kraemer and Kirby as alleged.

Kraemer describes an internal LAN configuration designed to detect back door
communication between a workstation on the internal LAN and a device outside of the network.
As an example, this back door communication could be conducted via a modem associated with a
workstation that connects to a device outside of the network in a manner that is independent of
the gateway through which communications with devices outside of the network are intended to
flow. According to Kraemer, a packet scanner connected to the network compares the source
and destination address of packets transmitted over the network to addresses on two different
tables. A first table includes the address of the devices on the network, while the second table
identifies the hardware address of the gateways authorized to be connected to the network. See
Kraemer, col. 3, ll. 46-59.

If the source and destination addresses are not included in the tables, Kraemer describes 
various event routines being performed which may include logging of information relating to the 
destination and source devices in the content of the packet at the time at which the event 
occurred and the like. In this regard, Kraemer further discloses that whereas the information 
may include the hardware addresses of the devices, such information may be cumbersome for 
administrators. Thus, Kraemer discloses that a reverse address resolution protocol (RARP) 
server may be connected to the network for translating hardware addresses to IP addresses that 
are typically well known by the administrator. 

In the Official Action, the hardware address to IP address translation is alleged to
correspond to the packet header translation (or now detranslation) feature of independent Claim
1. The Official Action then seemingly suggests that one skilled in the art would have been
motivated to modify this translation so that it occurs according to a cipher algorithm keyed by a
repeatedly-generated cipher key to "provide enhanced security capabilities." However, Kraemer
discloses translating a hardware address to an IP address for the explicit purpose of providing the
address in a form well known to a network administrator. To instead translate the hardware
address according to a cipher algorithm keyed by a repeatedly-generated cipher key, then, would
clearly change the principle of operation of Kraemer in providing an address in a form well
known to a network administrator. And as stated in MPEP § 2143.01, "[a] proposed
modification cannot change the principle of operation of a reference" to support a § 103
rejection. Moreover, not only would the modification proffered by the Official Action change
the principle of operation of Kraemer, but Applicants note that the approach of the claimed
invention is intended to accomplish a result just the opposite from providing an address in a
well-known form as in Kraemer since it is instead intended to further encrypt and secure portions of a
data packet.
Applicants further note that Kraemer does not address or have any relation to network
authentication, and as such, one skilled in the art would not have been led to modify Kraemer to 
include the Kerberos Network Authentication Service attributed to Kirby. Rather, Kraemer 
addresses scenarios whereby an unauthorized workstation attempts to communicate across an 
internal LAN, where an unauthorized workstation may be identified by its absence in one of the 
aforementioned tables. Nowhere, however, does Kraemer concern itself with a workstation 
authenticating itself to the network, or the packet scanner of the network. In fact, most of the 
operation of the Kraemer system occurs within the internal LAN, which Kraemer at least 
strongly suggests is a trusted network. Thus, even if one could argue that adding the Kerberos 
Network Authentication Service as disclosed by Kirby to a system generally increases the 
system's security, one skilled in the art would be less likely, if at all likely, to add such a service 
to the internal LAN communications of Kraemer. 

Applicants therefore respectfully submit that amended independent Claim 1, and by
dependency Claims 2-5, 25 and 26, are patentably distinct from any proper combination of
Kraemer in view of Kirby. 2 Applicants also respectfully submit that amended independent
Claims 6, 11 and 16 all set forth subject matter similar to that of independent Claim 1, including
the aforementioned packet header-detranslation feature. Thus, Applicants respectfully submit
that amended independent Claims 6, 11 and 16, and by dependency Claims 7-10, 12-15, 17-20
and 27-32, are also patentably distinct from Kraemer in view of Kirby for at least the same
reasons given above with respect to independent Claim 1. In addition, Applicants respectfully
submit that various ones of 2-5, 7-10, 12-15, 17-20 and 25-32 set forth subject matter further
patentably distinct from Kraemer in view of Kirby, as explained below.

2 As Applicants' remarks with respect to the base independent claims are sufficient to overcome the
Examiner's rejection of all claims dependent therefrom, Applicants' silence as to the Examiner's assertions with
respect to the dependent claims is not a concession by Applicants to the Examiner's assertions as to these claims,
and Applicants reserve the right to analyze and dispute such assertions in the future.

1. Claims 25, 27, 29 and 31

As explained above, amended independent Claims 1, 6, 11 and 16, and by dependency
Claims 2-5, 7-10, 12-15, 17-20 and 25-32, are patentably distinct from Kraemer in view of
Kirby. Applicants further respectfully submit that at least amended dependent Claims 25, 27, 29
and 31 recite features further patentably distinct from Kraemer and Kirby, taken individually or
in combination. In this regard, amended dependent Claim 25 (and similarly Claims 27, 29 and
31), further provide the following:

An apparatus as set forth in Claim 1, wherein the address includes a 
network portion and an apparatus portion, the apparatus portion of the address 
having been translated without the network portion also being translated, and 
wherein said translator is configured to detranslate the apparatus portion of the 
address without also detranslating the network portion of the address. 

For the translation of the apparatus portion of the address without also translating the network
portion of the address, the Official Action cites page 11, lines 17-22 of Kirby. Applicants
respectfully disagree, however, and submit that Kirby (as well as Kraemer) does not in fact teach
or suggest the aforementioned translation feature, or the now-added detranslation feature of
Claims 25, 27, 29 and 31.

As disclosed with relation to the cited passage of Kirby (i.e., page 11, lines 17-22), a
network architecture includes firewall computers 146, 148 in communication across a number of
tunnels 140, 142 across the Internet 152. See also FIG. 8. As also disclosed, firewall 146 may
be connected to an internal network 154 also including computers 156 and 158; and computer
158 may be another firewall computer between internal network 154 and another internal
network 160, the other internal network 160 further including a computer 162. With a view to
the aforementioned architecture, then, the cited paragraph of Kirby reads as follows: "The only
addresses visible on the internet and on internal network 154 are the addresses of the firewall
computers 146, 148, and 158. The address of internal computer 162 and, hence, the network
topology of network 160 are protected on both the internet and internal network 154." Kirby,
page 11, lines 17-22.

Kirby therefore discloses an instance in which the addresses of some of the system's
computers may be encapsulated and encrypted, and thus, protected on the internet and other
internal networks; and the addresses of others of the system's computers are not encapsulated
and encrypted, and are therefore visible on the internet and other internal networks. In either
instance, nowhere does Kirby teach or suggest any address, including a network portion and an
apparatus portion, and encapsulating/encrypting (or decapsulating/decrypting) the apparatus
portion of the address without also encapsulating/encrypting (or decapsulating/decrypting) the
network portion of the address, similar to Claims 25, 27, 29 and 31 which include detranslating
the apparatus portion without also detranslating the network portion (the apparatus portion
having been translated without the network portion). Rather, for those addresses
encapsulated/encrypted, Kirby discloses or at least strongly suggests encapsulating/encrypting
the entire address, which in the context of a conventional TCP/IP packet includes both a network
portion and an apparatus portion. See Pat. Appl., pages 19-20, paragraph 0042. Thus, Claims
25, 27, 29 and 31 include an address including two portions, and detranslating one of those
portions without also detranslating the other portion (the one portion having been translated
without the other). In contrast, Kirby discloses (or at the very least strongly suggests)
encapsulating/encrypting the entire address, and accordingly for those instances in which an
address includes two portions, encapsulating/encrypting both portions.

Similar to Kirby, Applicants note that Kraemer also does not teach or suggest the 
aforementioned feature of Claims 25, 27, 29 and 31; and as such, neither Kraemer nor Kirby, 
taken individually or in combination, teach or suggest the aforementioned feature of Claims 25, 
27, 29 and 31. 

2. Claims 26, 28, 30 and 32 

Again, as explained above, amended independent Claims 1, 6, 11 and 16, and by
dependency Claims 2-5, 7-10, 12-15, 17-20 and 25-32, are patentably distinct from Kraemer in
view of Kirby. Applicants further respectfully submit that at least amended dependent Claims
26, 28, 30 and 32 recite features further patentably distinct from Kraemer and Kirby, taken
individually or in combination. In this regard, amended dependent Claim 26 (and similarly
Claims 28, 30 and 32), further sets forth the following:

An apparatus as set forth in Claim 1, wherein the data packet includes a 
translated packet header with a plurality of fields carrying packet header 
information, the translated packet header including the translated packet header 
information in one or more predetermined fields of the translated packet header 
interspersed with un-translated packet header information in fields other than the 
one or more fields of the translated packet header, and 
wherein said translator is configured to detranslate at least a portion of
the packet header information in the one or more predetermined fields. 

For translating fields of a packet header, with the translated fields being interspersed with un- 
translated fields, the Official Action cites page 7, line 31 - page 8, line 9 of Kirby. Applicants 
respectfully disagree, however, and submit that Kirby (as well as Kraemer) does not in fact teach 
or suggest interspersing translated portions of a header with un-translated portions, or the 
detranslation of those translated portions, similar to Claims 26, 28, 30 and 32. 

As disclosed with relation to the cited passage of Kirby (i.e., page 7, line 31 - page 8, line 9),
and with reference to FIG. 6, a portion 92 of an encapsulated network packet 78 may be further
encrypted, the further encrypted portion including data 84 and part of a swIPe protocol header
82. As disclosed by Kirby, the only header one could argue is partially encrypted is the swIPe
protocol header. And nowhere does Kirby teach or suggest, however, that the encrypted portion
of the swIPe protocol header is interspersed with (i.e., inserted among or otherwise between) the
un-encrypted portion of the swIPe protocol header, as set forth by Claims 26, 28, 30 and 32 in
relation to interspersing translated packet header information with un-translated packet header
information. In fact, FIG. 6 of Kirby suggests that the encrypted portion of the swIPe protocol
header is not interspersed with the un-encrypted portion of the swIPe protocol header. See FIG.
6 (illustrating the relationship between the encrypted portion 92 of the packet 78 with respect to
the swIPe protocol header 82).

Similar to Kirby, Applicants note that Kraemer also does not teach or suggest the 
aforementioned feature of Claims 26, 28, 30 and 32; and as such, neither Kraemer nor Kirby, 
taken individually or in combination, teach or suggest the aforementioned feature of Claims 26, 
28, 30 and 32. 

For at least the foregoing reasons, Applicants respectfully submit that the rejection of 
Claims 1-20 and 25-32 as being unpatentable over Kraemer in view of Kirby is overcome. 
CONCLUSION



In view of the foregoing, it is respectfully submitted that all of the claims of the present
application are in condition for immediate allowance. It is therefore respectfully requested that a
Notice of Allowance be issued. The Examiner is encouraged to contact Applicants' undersigned
attorney to resolve any remaining issues in order to expedite examination of the present application.

It is not believed that extensions of time or fees for net addition of claims are required, 
beyond those that may otherwise be provided for in documents accompanying this paper. 
However, in the event that additional extensions of time are necessary to allow consideration of 
this paper, such extensions are hereby petitioned under 37 CFR § 1.136(a), and any fee required 
therefore (including fees for net addition of claims) is hereby authorized to be charged to Deposit 
Account No. 16-0605. 